Computer Security – Why Defense in Depth is the Best Approach

Posted by Timothy Platt on Nov 12, 2017


Here on “Patch Tuesday”, we’re going to discuss an important topic that we touched on briefly last week. We believe “Defense in Depth”, as applied to computer security, is the best way to mitigate the risk of security exploits and breaches. We’re going to describe the rationale and specifics of this multi-layered approach. We recommend this approach to all our clients.

What is “Defense in Depth”?

In its simplest form, “Defense in Depth” means having multiple layers of security mechanisms rather than one. For an attack to succeed, every layer must be circumvented, which greatly increases the difficulty of the attack and lowers its probability of success. Why not rely on a single method of protection? Because of the scope, scale, and ever-changing nature of security threats, no single product or service can cover everything. Combining them improves your odds considerably.

What Does “Defense in Depth” Look Like?

Here’s a practical example of a threat: a malware infection that arrives via a “phishing” email. A phishing email is a forged, malicious email intended to trick you into visiting a compromised web site or otherwise exposing private information. In this case, let’s say the email contains a link to a compromised web site that hosts malware capable of infecting your computer.

First, let’s hope that through education and training you or your employees know what to look for in a suspicious email; training and knowledge are always the first line of defense. On the other hand, the forgeries get more convincing every day, and everyone slips up sometimes. We’re only human.

Hopefully the email will be recognized by Exchange Online’s phishing heuristics and sent directly to Junk Mail, where it is far less likely to be opened.

If it isn’t, and it makes it into your inbox, your firewall (if it provides an anti-virus or intrusion prevention function) might block access to the hacked web site that hosts the actual infection vector.

Maybe it doesn’t, but your anti-virus program recognizes the threat and neutralizes it as it downloads and attempts to take over your machine.

And lastly, maybe none of those mechanisms work because the malware is brand new and no anti-virus signature exists for it yet, but your machine is not vulnerable to the web-hosted exploit because it is completely up to date on the relevant Windows security patches.

That’s what we mean by defense in depth. There are five layers in that example, each of which an attacker would have to get past. The layers only count separately if they fail separately: if the firewall and the anti-virus product rely on the same signature feed, a brand-new sample slips past both at once, which is why patching, which needs no signature at all, matters so much as the last layer.
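As an added example of the sort of heuristics the junk-mail layer applies (this is not the page’s own code and not Exchange Online’s actual filter; the domains, addresses, keyword list and the two-indicator threshold are assumptions for illustration), here are four checks run over a constructed phishing message and a constructed legitimate one: a lookalike sender domain, a Reply-To that goes somewhere else, urgency wording in the subject, and link text that shows one host while the href points to another.

```python
"""Toy phishing heuristics over constructed e-mail (added example, stdlib only)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; the domains are reserved example names, not real sites.
PHISH_EMAIL = """\
From: "IT Helpdesk" <helpdesk@contoso-support.example.net>
Reply-To: collect@mailer.example.org
To: user@contoso.example.com
Subject: URGENT: your mailbox will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Sign in at
<a href="http://login-contoso.example.net/owa">https://outlook.office365.com/owa</a>
to keep access.</p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Payroll" <payroll@contoso.example.com>
To: user@contoso.example.com
Subject: October timesheet reminder
Content-Type: text/plain; charset=utf-8

Please submit your timesheet by Friday.
"""

URGENCY_WORDS = ("urgent", "suspend", "expire", "immediately", "verify your")  # assumed list
LOOKS_LIKE_URL = re.compile(r"^(https?://)?([\w-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-case host of a URL; bare hostnames are accepted too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _domain_of(header):
    """Domain of the first address in an address header, or '' if the header is absent."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def phishing_indicators(raw_message, trusted_domain):
    """Return the list of heuristic findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    trusted_domain = trusted_domain.lower()
    brand = trusted_domain.split(".")[0]  # e.g. 'contoso'

    from_domain = _domain_of(msg["From"])
    if brand in from_domain and from_domain != trusted_domain:
        findings.append(f"lookalike sender domain: {from_domain}")

    reply_domain = _domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency language in subject")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            # Visible text that looks like a URL but whose host differs from the real target.
            if LOOKS_LIKE_URL.match(text) and _host(text) != _host(href):
                findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return findings


def classify(raw_message, trusted_domain, threshold=2):
    """'junk' when at least `threshold` indicators fire, otherwise 'inbox'."""
    findings = phishing_indicators(raw_message, trusted_domain)
    return ("junk" if len(findings) >= threshold else "inbox"), findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, *classify(raw, "contoso.example.com"))
```

Run the file to see the phishing sample land in junk on all four indicators while the payroll reminder passes. Real filters add sender authentication (SPF, DKIM, DMARC), sender reputation and user feedback on top of checks like these, and that feedback is exactly the information a large cloud provider has far more of than a single on-premises server.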

What are Best Practices for Computer Security?

We recommend as many as possible of the following be employed:

Security patching for user workstations and servers – All end user devices (workstations, desktops, laptops, and tablets) should have vendor-supplied security patches applied regularly. This means “Patch Tuesday” for Microsoft and regular OS updates for macOS. Similarly, all servers, both Linux and Windows, should be security patched regularly.

Patch and Upgrade Applications – Applications, such as Office and Adobe Reader, can have security issues and problems just like your desktop operating system. Make sure you stay up to date.

Anti-Virus and Anti-Malware Scanning – Use anti-virus and anti-malware scanning programs on all vulnerable equipment, with both “real time” protection and scheduled scanning. Modern products use signatures (think of a signature as a fingerprint for a program) as well as heuristics that try to stop threats that haven’t been fingerprinted yet. In either case, these programs aren’t effective if they are out of date; make sure the base program and its signature files are updated regularly.

Email Junk Filtering – The most common vector we see is phishing email, as described in the example above. Make sure your email provider or service has high-quality junk or spam filtering. Here the cloud services, such as Office 365 Exchange Online or G Suite’s Gmail, are very hard to beat: their spam and junk filters draw on the feedback of millions of users globally. A local onsite Exchange server isn’t going to be able to compete with that.

Upgrade your Device Firmware and Maintain Active Support Contracts – Think of this as security (and bug) fixes for hardware devices. Your firewalls, routers, switches, Wi-Fi access points and similar devices should always have an active support contract, which entitles you to download and apply the latest firmware upgrades.

Utilize a Firewall with Intrusion Detection/Intrusion Prevention Features – Also known as “Unified Threat Management” (UTM), the modern firewall can provide several essential security functions. We recommend a firewall with signature-based inspection that detects and interrupts exploits in real time by analyzing the network traffic flowing in and out of your office. Typically you must have an up-to-date maintenance or support contract for the device to receive the latest signatures. Note also that signature inspection only sees what the firewall can read: HTTPS traffic is opaque to it unless TLS inspection is configured. As a bonus, these devices can normally block web sites known to host malware, which helps prevent “drive-by” infection, where a browser vulnerability lets a web site infect your computer simply because you visited it. Lastly, think of the firewall as the main gatekeeper between your users and the Internet. It pays to invest in an enterprise-class device with the features you need.

Upgrade mobile devices regularly – Smartphones and tablets should be updated promptly when Apple releases a new iOS version (these releases include security fixes along with bug fixes and functionality improvements). The same applies to Android phones and tablets, although with the plethora of hardware models and carriers it is a little trickier: the fix has to come from the device maker or carrier, and many devices stop receiving updates well before they are retired. Additionally, consider mobile device management products such as MobileIron that help lock down and control mobile device usage. These tools help ensure that users can’t compromise your security standards via their phones.

DO NOT use obsolete hardware and software – Once hardware or software goes “End of Life”, it is no longer patched or updated by the vendor. Want an example? We still see lots of servers running Windows Server 2003. That product reached end of life in July 2015 and hasn’t received a security patch since, more than two years as of this writing. You should upgrade to a newer version such as Windows Server 2012, or ideally 2016. The same concept applies to network hardware. A 10-year-old firewall isn’t going to be supported by the vendor, and any security bugs in it will remain forever. While you are in the process of upgrading, make sure those servers and devices are protected behind other layers of defense.

Secure Your Networks (Wi-Fi and Wired) – Make sure all networks are secured appropriately, especially Wi-Fi, which is reachable from a considerable distance outside your walls. In fact, Wi-Fi is so exposed that you might consider giving it “Internet only” access, with no route to your internal servers. Make sure your firewall or router is configured properly, and consider using VLANs and other mechanisms to segment your network into protected zones. Does everybody need access to everything on the network? Probably not, but the trade-off here is security versus administrative overhead and convenience.

Secure your Desktops – Giving employees non-administrator accounts on their workstations is a best practice. Without administrator rights they can’t install software system-wide, so a trojan horse (malware embedded in an otherwise legitimate program) can’t register itself as a service or driver, and many garden-variety malware samples that assume admin rights simply fail. It won’t stop them all: malware can still run inside the user’s own profile with the user’s permissions, and some use a security vulnerability to perform a “privilege escalation” to admin rights (these vulnerabilities are disturbingly common). Secondly, consider allowing only authorized, “whitelisted” applications to run on computers. This requires a policy enforced on the PC, either by a specialized security agent or by a built-in mechanism such as Windows AppLocker. As with many of these items, these steps represent a trade-off between security and administrative overhead and user convenience.

Physical Security – The most hardened server in the world isn’t secure if an attacker has physical access to it. Make sure the basics of physical security are in place for your entire facility; the same applies to network devices and workstations. Hardware keyloggers, for example, plug inline between the keyboard and its USB port and record every keystroke for the attacker to retrieve later.

Have a Complete Set of Functional Backups – This probably doesn’t need much explanation: do you have functional backups for all your key servers and other business-critical data? If a server were deeply compromised with a “rootkit”, a deeply embedded malware that is difficult to remove, could you restore business-critical data to a server rebuilt from scratch? Additionally, consider desktop backups for your users. “Ransomware” has become disturbingly common among cyber-criminals because it is profitable. Ransomware arrives via all the normal malware vectors, but this variety encrypts your data and holds it hostage until you pay for the decryption key. The best solution is to restore from backups, which means the backups themselves must be out of reach: ransomware will happily encrypt a mapped backup drive or a writable network share, so keep at least one copy offline or otherwise not writable from user workstations, and test restores regularly, because a backup that has never been restored is only a hope. If you pay, you’re perpetuating the success of this method, and there is no guarantee the key you are sold will work.
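A backup only counts once a restore has been tested. As an added example (not a product and not the page’s own code), here is a minimal backup with an integrity manifest and a restore test: every file is hashed into a manifest stored inside the archive, the archive is restored into a clean directory, and each restored file is checked against the manifest. The manifest file name and the sample files are assumptions made for the example.

```python
"""Backup archive with a hash manifest and a restore test (added example, stdlib only)."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # file name is an assumption of this example


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map every file under src_dir (relative POSIX path) to its SHA-256."""
    src_dir = Path(src_dir)
    return {p.relative_to(src_dir).as_posix(): file_digest(p)
            for p in sorted(src_dir.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Write a .tar.gz of src_dir with the manifest stored inside it; return the manifest."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(src_dir) / rel, arcname=rel)
        blob = json.dumps(manifest, indent=1, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def verify_tree(restore_dir):
    """Compare restored files against the manifest; return a list of problems (empty is good)."""
    restore_dir = Path(restore_dir)
    manifest = json.loads((restore_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif file_digest(target) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def restore_and_verify(archive_path, restore_dir):
    """Extract into restore_dir and verify: the restore test that proves a backup works."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # Python 3.12+ (and patched 3.8 to 3.11): refuse members that escape restore_dir.
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)  # older interpreter without the filter argument
    return verify_tree(restore_dir)


def demo():
    """Back up, restore and verify in a temp dir; then overwrite one restored file and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q3.csv").write_text("region,revenue\nwest,1200\n")  # constructed data
        (src / "notes.txt").write_text("phone list\n")
        archive = tmp / "fileserver.tar.gz"
        create_backup(src, archive)

        restored = tmp / "restore"
        clean_result = restore_and_verify(archive, restored)

        # Simulate ransomware replacing a restored file with ciphertext-looking junk.
        (restored / "finance" / "q3.csv").write_bytes(b"\x9f\x02ENCRYPTED\xff" * 4)
        tampered_result = verify_tree(restored)
        return clean_result, tampered_result


if __name__ == "__main__":
    print(demo())
```

demo() returns an empty problem list for the clean restore and a single “corrupt” entry after one restored file is overwritten, which is the check you want before trusting a backup to recover you from ransomware. Extraction uses tarfile’s data filter where the interpreter supports it, so a crafted archive cannot write outside the restore directory.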

Secure Remote Access – For secure remote access, use an encrypted Virtual Private Network (VPN) or an equivalent remote login service; there are pros and cons to each approach. Any good firewall product has a VPN option built in, and there are many commercial remote desktop tools. Whichever you choose, protect the login with 2FA where the product supports it. If using a remote access service, make sure it is configured securely and used correctly by your users: some of these programs default to letting others in the office see the desktop of the computer while it is being controlled.

Full Disk Encryption – Full disk encryption should certainly be used on devices that are likely to be lost or stolen, and arguably on every device. Disk encryption uses a secret key and a cryptographic algorithm to encode the entire contents of the drive; without the key, the information cannot be read. Two caveats: it protects data at rest, so a laptop that is powered on and logged in is not protected by it, and the recovery key must be escrowed somewhere safe, or a forgotten password turns into data loss.

Cloud Security – Choose reputable providers, follow best practices for each cloud service, and use the security features they make available. Two Factor Authentication (2FA) and geographical login restrictions are just two examples.
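As an added example of what the second factor actually is (not the page’s code and not any provider’s implementation), here is time-based one-time password generation and verification as used by authenticator apps: RFC 6238 TOTP on top of RFC 4226 HOTP. The Base32 secret used in the demo is the RFC’s published test secret, not a real one; the ±1-step drift window is a common server-side choice and an assumption here.

```python
"""TOTP / HOTP one-time codes (added example; RFC 4226 and RFC 6238, stdlib only)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30 s steps by default)."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // step, digits, digestmod)


def verify_totp(secret, code, at_time=None, step=30, digits=6, window=1):
    """Server side: accept the code for the current step and +/-window steps of clock drift."""
    t = int(time.time() if at_time is None else at_time)
    for skew in range(-window, window + 1):
        expected = hotp(secret, t // step + skew, digits)
        # Constant-time comparison so response timing cannot leak which digits matched.
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps receive the shared secret as Base32 (the QR-code payload)."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890" in Base32); never use a published secret.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code for T=59 (RFC vector, 8 digits):", totp(secret, 59, digits=8))
    print("current 6-digit code:", totp(secret))
```

The server and the phone share only the secret and the clock, so a code is worthless thirty seconds later. It is not worthless during those thirty seconds, though: a cloned login page that forwards the victim’s password and code to the real site within the window still gets in, which is why hardware security keys, whose response is bound to the genuine site’s origin, resist that attack where TOTP does not.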

Vendors and Third Parties – Which vendors provide services to you? What functions have you outsourced? Do those vendors follow good security practice in what they do? Are they inadvertently providing “back door” access to your network and systems, for example through a standing remote-support account? On a related note, how good are their Business Continuity (BC) and Disaster Recovery (DR) plans?

Lastly, you’ve got to “rinse and repeat”. None of this is ever “done”; it is a continuous process. Training new employees, patching servers, updating firmware: it truly never ends.

The Human Element – the Ultimate Weak Link?

The last item is certainly not the least important. In fact, training your employees to be security aware is the most important item of all. A person who doesn’t know better can easily and inadvertently circumvent many of the protections above. Another reason is that “social engineering” is still a big success for attackers. Make sure your employees are up to date on the latest scams and are suspicious of any unexpected email, phone call, etc. One particular scam involves the web browser displaying a message, an audible alarm, and even a toll-free number. The message says your machine has a virus (it doesn’t), and when you call the number you get a real, live person who will promptly take your credit card information and do nothing other than take your money. You might think that sounds obviously like a scam, yet people fall for it every day.

We also see more advanced scams, such as “counterfeit” web sites made to look like cloud services you use regularly: the attackers take the login page of a popular app and “clone” it. If your users enter their credentials, the attacker can then do several things, such as send email on their behalf or access private information. Note that 2FA usually stops this sort of attack, but not always: a one-time code typed into a cloned page can be relayed to the real site within seconds, so the strongest protection comes from methods tied to the genuine site, such as hardware security keys. And not every service offers 2FA at all.

In summary, the human element is the most important. Make sure your employees are trained and knowledgeable.

How to Implement

What if you are missing some, or all, of the above? Create a prioritized roadmap, and implement as budget becomes available. There are training, hardware, and software options that can meet any level of budget.

Get Help from the Security Experts

If you’re missing any of the above, let us know, we’d love to help. The business should focus on business, and let IT security be handled by the experts. Give us a call at (407) 268-6626.